Rootkit malware freezing computer, blocking restore points and disabling firewall


  • This topic is locked
4 replies to this topic

#1 ronye235

  • Members
  • 2 posts

Posted 30 December 2014 - 01:24 AM

I downloaded a piece of YouTube/video downloader software from the Softopedia website and then tried to remove it later. One was a huge, clunky piece of crap that didn't end up working but kept asking for permissions from Comodo Firewall as I tried to get it to work.

A week or two later, after I had tried to uninstall the programs, I started noticing within a few days that Firefox would freeze. I thought it was an internet slowdown of the websites or Google Maps.
I then found it hard to click on the Start menu and other parts of Windows. It started to totally freeze up until I couldn't use the mouse to click.

I tried to do a restore point and it wouldn't work. It blocked/erased the restore points up to only a few days before. It also started blocking Avast. I was only able to get a restore point from my last backup ... in May. That seemed to work after 2 days of trying different things and different malware programs.

It seemed like it worked, and I removed all the antivirus and firewall software, put in new ones and continued using the computer. It felt like there was still something going on, as the computer sounded weird, as if it was struggling. It seemed like everything was fine and I kept using it, but I kept trying different anti-malware programs.

None of them would find anything... I tried Comodo Cleaning Essentials today and it found something in Avast:

Program file\Avast\Software\Avast\ng\vbox\VBoxDD2GC.gc

When the program cleaned it, the same thing started happening: it started getting hard to use the mouse and click on programs, and it started blocking the antivirus. I tried different malware removers; none showed anything. It wiped/hid the restore points and I had to go to the backup to redo everything again.

Currently I have put in all new antivirus and firewall software, but it's BLOCKING them. It was blocking me from removing the old Comodo, and I don't think it's allowing the new one.
It's blocking the Windows Security Center, but I am able to use the Windows firewall.
It's blocking Avast and Comodo from working and stopping some malware removers.

 

DDS logs
-------------

DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 9.0.8112.16455
Run by MohenDaro at 23:42:01 on 2014-12-29
Microsoft Windows 7 Ultimate   6.1.7601.1.1252.1.1033.18.3527.2184 [GMT -5:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: COMODO Antivirus *Disabled/Outdated* {FEEA52D5-051E-08DD-07EF-2F009097607D}
FW: COMODO Firewall *Enabled* {7DB03214-694B-060B-1600-BD4715C36DBB}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\SuperAnti2\SASCORE.EXE
C:\Program Files\SuperAnti2\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_16_0_0_235.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.yahoo.com?fr=fp-comodo
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
TB: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
uRun: [GUDelayStartup] "c:\program files\glary utilities 5\StartupManager.exe" -delayrun
uRun: [SUPERAntiSpyware] c:\program files\superanti2\SUPERAntiSpyware.exe
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtkNGUI.exe -s
mRun: [RtHDVBg_DTS] c:\program files\realtek\audio\hda\RtHDVBg.exe /DTSU2P
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AvastUI.exe] "c:\program files\avast software\avast\AvastUI.exe" /nogui
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: SoftwareSASGeneration = dword:1
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{F3C8A143-F474-453C-AC86-3B6CEE70D6F9} : DHCPNameServer = 192.168.0.1
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
SSODL: WebCheck - <orphaned>
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\39.0.2171.95\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mohendaro\appdata\roaming\mozilla\firefox\profiles\ija24qlj.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\google\update\1.3.21.169\npGoogleUpdate3.dll
FF - plugin: c:\program files\tracker software\pdf viewer\npPDFXCviewNPPlugin.dll
FF - plugin: c:\users\mohendaro\appdata\roaming\mozilla\firefox\profiles\ija24qlj.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_16_0_0_235.dll
.
============= SERVICES / DRIVERS ===============
.
R0 asahci32;asahci32;c:\windows\system32\drivers\asahci32.sys [2011-9-21 43104]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-3-2 242240]
R2 !SASCORE;SAS Core Service;c:\program files\superanti2\SASCore.exe [2014-7-22 142648]
R3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\drivers\asmthub3.sys [2011-11-3 102888]
R3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\drivers\asmtxhci.sys [2011-11-3 313832]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-12-29 49944]
S0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [2014-12-29 206248]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2014-12-29 787800]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [2014-12-29 423784]
S1 GUBootStartup;GUBootStartup;c:\windows\system32\drivers\GUBootStartup.sys [2014-12-29 17344]
S1 SASDIFSV;SASDIFSV;c:\program files\superanti2\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superanti2\SASKUTIL.SYS [2011-7-12 67664]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2014-12-29 24184]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2014-12-29 70384]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys [2014-12-29 91496]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-12-29 50344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2012-7-9 104912]
S2 DragonUpdater;COMODO Dragon Update Service;c:\program files\comodo\dragon\dragon_updater.exe [2014-11-27 2370240]
S2 DTSAudioSvc;DTSAudioSvc;c:\program files\realtek\audio\hda\DTSU2PAuSrv32.exe [2013-3-2 182272]
S2 Intel® PROSet Monitoring Service;Intel® PROSet Monitoring Service;c:\windows\system32\IPROSetMonitor.exe [2013-3-2 117920]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-11-13 14848]
S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]
S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2012-11-13 24064]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-11-13 49664]
S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2012-11-13 27136]
S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]
.
=============== Created Last 30 ================
.
2014-12-30 03:53:11    --------    d-----w-    c:\users\mohendaro\appdata\roaming\QuickScan
2014-12-30 01:55:59    62576    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{4c557ede-774d-4bfe-a7bc-a6a165f251b7}\offreg.dll
2014-12-30 01:20:39    --------    d-----w-    c:\program files\SuperAnti2
2014-12-30 00:51:03    --------    d-----w-    c:\users\mohendaro\appdata\local\Comodo
2014-12-30 00:51:02    48392    ----a-w-    c:\windows\system32\certsentry.dll
2014-12-30 00:13:33    --------    d-----w-    c:\users\mohendaro\appdata\roaming\AVAST Software
2014-12-30 00:03:22    91496    ----a-w-    c:\windows\system32\drivers\aswStm.sys
2014-12-30 00:03:22    70384    ----a-w-    c:\windows\system32\drivers\aswMonFlt.sys
2014-12-30 00:03:22    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-12-30 00:03:22    206248    ----a-w-    c:\windows\system32\drivers\aswVmm.sys
2014-12-30 00:03:21    81768    ----a-w-    c:\windows\system32\drivers\aswRdr2.sys
2014-12-30 00:03:21    787800    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2014-12-30 00:03:21    24184    ----a-w-    c:\windows\system32\drivers\aswHwid.sys
2014-12-30 00:03:08    43152    ----a-w-    c:\windows\avastSS.scr
2014-12-30 00:02:12    --------    d-----w-    c:\program files\AVAST Software
2014-12-29 23:52:15    119000    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 23:52:09    79576    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-12-29 23:52:09    51928    ----a-w-    c:\windows\system32\drivers\mwac.sys
2014-12-29 23:52:09    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-12-29 23:52:08    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-12-29 23:30:12    --------    d-----w-    c:\programdata\GlarySoft
2014-12-29 23:13:52    17344    ----a-w-    c:\windows\system32\drivers\GUBootStartup.sys
2014-12-29 23:13:52    --------    d-----w-    c:\users\mohendaro\appdata\roaming\GlarySoft
2014-12-29 23:13:52    --------    d-----w-    c:\users\mohendaro\appdata\roaming\DiskDefrag
2014-12-29 23:13:50    --------    d-----w-    c:\program files\Glary Utilities 5
2014-12-29 22:52:30    --------    d-----w-    c:\program files\VS Revo Group
2014-12-29 22:30:11    --------    d-----w-    c:\windows\system32\wbem\repository
2014-12-29 22:10:56    9054624    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{4c557ede-774d-4bfe-a7bc-a6a165f251b7}\mpengine.dll
2014-12-29 20:00:33    --------    d-----w-    C:\FRST
2014-12-29 19:16:40    --------    d-----w-    c:\windows\ERUNT
2014-12-29 16:19:13    --------    d-----w-    C:\CCE_Quarantine
2014-12-19 02:59:22    --------    d-----w-    c:\programdata\Sophos
2014-12-19 02:57:49    --------    d-----w-    c:\program files\Sophos
2014-12-18 23:53:12    --------    d-----w-    c:\windows\system32\vbox
2014-12-18 23:34:40    --------    d-----w-    c:\program files\Malware Bytes 2
2014-12-18 23:23:12    --------    d-----w-    c:\program files\Mozilla Maintenance Service
2014-12-18 23:18:04    --------    d-----w-    c:\program files\common files\COMODO
2014-12-18 18:58:33    --------    d-----w-    c:\program files\ESET
2014-12-18 17:54:56    --------    d-----w-    c:\users\mohendaro\appdata\roaming\Comodo
2014-12-18 15:43:40    --------    d-----w-    c:\users\mohendaro\appdata\roaming\SUPERAntiSpyware.com
2014-12-18 15:43:28    --------    d-----w-    c:\programdata\SUPERAntiSpyware.com
2014-12-18 15:43:28    --------    d-----w-    c:\program files\SUPERAntiSpyware
2014-12-18 15:17:14    --------    d-----w-    c:\program files\UVK - Ultra Virus Killer
2014-12-18 02:12:40    --------    d-----w-    C:\EEK
2014-12-17 23:50:45    --------    d-----w-    C:\AdwCleaner
2014-12-09 20:57:23    --------    d-----w-    c:\users\mohendaro\appdata\roaming\com.adobe.formscentral.FormsCentralForAcrobat
2014-12-09 19:15:11    --------    d-----w-    c:\users\mohendaro\appdata\local\ElevatedDiagnostics
2014-12-09 18:53:40    --------    d-----w-    c:\programdata\regid.1986-12.com.adobe
2014-12-09 18:02:33    --------    d-----w-    c:\users\mohendaro\appdata\roaming\AbleWord
.
==================== Find3M  ====================
.
2014-12-29 23:34:56    71344    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
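
The DDS log above is the artifact the Malware Response Team reads by hand: the SERVICES / DRIVERS table says which drivers the Service Control Manager will load and when, and Created Last 30 says which files appeared recently. The Python below is an added example for this thread, not a BleepingComputer or DDS tool: it parses those two sections and joins them on file path, listing the boot/system-start drivers and any recently created .sys file with no service entry pointing at it. The sample input is an excerpt of the log posted above. Two things are the example's own assumptions rather than anything the page states: the DDS prefix is read the HijackThis way (R/S = running/stopped, digit = SCM start type), and an unregistered recent driver file is treated as a lead worth hashing and checking, not as a verdict.

```python
"""Parse and correlate the SERVICES / DRIVERS and Created Last 30 sections
of a DDS log. Added example for this thread, not a BleepingComputer or DDS
tool. Assumed, not stated on the page: the DDS prefix is read the
HijackThis way (R/S = running/stopped, digit = SCM start type 0 boot,
1 system, 2 auto, 3 manual, 4 disabled)."""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample input: an excerpt of the DDS log posted above.
DDS_EXCERPT = r"""
============= SERVICES / DRIVERS ===============
.
R0 asahci32;asahci32;c:\windows\system32\drivers\asahci32.sys [2011-9-21 43104]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2013-3-2 242240]
R2 !SASCORE;SAS Core Service;c:\program files\superanti2\SASCore.exe [2014-7-22 142648]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2014-12-29 49944]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [2014-12-29 787800]
S1 GUBootStartup;GUBootStartup;c:\windows\system32\drivers\GUBootStartup.sys [2014-12-29 17344]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2014-12-29 50344]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
.
=============== Created Last 30 ================
.
2014-12-30 00:03:22    49944    ----a-w-    c:\windows\system32\drivers\aswRvrt.sys
2014-12-30 00:03:21    787800    ----a-w-    c:\windows\system32\drivers\aswsnx.sys
2014-12-29 23:52:15    119000    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-12-29 23:13:52    17344    ----a-w-    c:\windows\system32\drivers\GUBootStartup.sys
2014-12-29 20:00:33    --------    d-----w-    C:\FRST
.
==================== Find3M  ====================
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:\d+|-+)\s+"
    r"(?P<attrs>[-a-z]+)\s+(?P<path>.+)$")


@dataclass
class Service:
    state: str       # R = running, S = stopped (assumed DDS convention)
    start: int       # SCM start type, 0 = boot ... 4 = disabled
    name: str
    display: str
    path: str
    file_date: date  # the file timestamp DDS prints in brackets


@dataclass
class Created:
    timestamp: str
    path: str
    is_dir: bool     # attribute string starts with 'd'


def parse_dds(text):
    """Walk the log once, dispatching each line to the parser for its section."""
    services, created, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS prints a lone '.' as a spacer
            continue
        hdr = SECTION_RE.match(line)
        if hdr:
            section = hdr["name"]
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m:
                y, mo, d = (int(p) for p in m["date"].split("-"))
                services.append(Service(m["state"], int(m["start"]), m["name"],
                                        m["display"], m["path"], date(y, mo, d)))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if m:
                created.append(Created(m["ts"], m["path"],
                                       m["attrs"].startswith("d")))
    return services, created


def early_start_drivers(services):
    """Boot- and system-start entries: these load before user-mode security products."""
    return [s for s in services if s.start <= 1]


def correlate_drivers(services, created):
    """Join recently created *.sys files against the service table.

    Returns (registered, unregistered): driver files that do / do not have a
    service entry whose image path is that file. Case-insensitive, as NTFS is."""
    by_path = {s.path.lower() for s in services}
    registered, unregistered = [], []
    for c in created:
        if c.is_dir or not c.path.lower().endswith(".sys"):
            continue
        (registered if c.path.lower() in by_path else unregistered).append(c.path)
    return registered, unregistered


if __name__ == "__main__":
    svcs, files = parse_dds(DDS_EXCERPT)
    for s in early_start_drivers(svcs):
        print(f"{s.state}{s.start} {s.name:<14} {s.file_date} {s.path}")
    reg, unreg = correlate_drivers(svcs, files)
    print("recent drivers with a service entry:", len(reg))
    print("recent drivers with NO service entry:", unreg)
```

On the excerpt this reports five boot/system-start drivers and one recent driver file, MBAMSwissArmy.sys, with no service entry; in the real log that file belongs to the Malwarebytes install the user made the same evening, which is exactly the kind of context the analyst has to supply before calling anything suspicious.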

 



#2 ronye235

  • Topic Starter

  • Members
  • 2 posts

Posted 30 December 2014 - 01:37 AM

My computer is a regular computer/workstation.

Windows 7, Service Pack 1
Intel Core i7-3820 CPU @ 3.60GHz
RAM: 3526 MB
Graphics Card: NVIDIA GeForce GTX 660 Ti

Motherboard: ASUS

 

No antivirus is working. I was able to turn on the Windows firewall.

It's disabling a lot of anti-malware programs since I did this last restore point.

 

"Program file\Avast\Software\Avast\ng\vbox\VBoxDD2GC.gc"

 

I did a search for vbox and it's part of Java or Oracle VirtualBox. At one point I had Java on for an online class and it was left on in case I still needed it later.

 

I found this bit of info at:

http://r.virscan.org/report/20c65bf482136ae6fd68955087aacb23

 

File information

File Name: VBoxDD2GC.gc (File not down)
File Size: 12672 byte
File Type: application/x-dosexec
MD5: 2b147d966d5fb34e31ab5aa5e032dc20
SHA1: 629917e3d87f85380f473216cdfb1370bc0eda0f

Scanner   Engine Ver   Sig Ver   Sig Date     Scan result           Time
comodo    15023        5.1       2014-11-08   Heur.Packed.Unknown   3

 

Other programs that found it:

http://r.virscan.org/report/20c65bf482136ae6fd68955087aacb23

 

I did find a Heur.Packed.Unknown in Comodo as part of a search from a scan program, and it showed up as Heur.Packed.Unknown@4294967295.

 

This was in the list of virus scanners:

Scanner   Engine Ver   Sig Ver   Sig Date   Scan result         Time
qh360     1.0.1        1.0.1     1.0.1      Win32/Trojan.6b9    13

I think qh360 is Norton.


Edited by ronye235, 30 December 2014 - 01:32 PM.


#3 nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 January 2015 - 10:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download Malwarebytes' Anti-Malware from Here

Double-click mbam-setup-2.X.X.XXXX.exe to install the application (X's are the current version number).
  • Make sure a checkmark is placed next to Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once MBAM opens, when it says Your databases are out of date, click the Fix Now button.
  • Click the Settings tab at the top, and then in the left column, select Detections and Protections, and if not already checked place a checkmark in the selection box for Scan for rootkits.
  • Click the Scan tab at the top of the program window, select Threat Scan and click the Scan Now button.
  • If you receive a message that updates are available, click the Update Now button (the update will be downloaded, installed, and the scan will start).
  • The scan may take some time to finish, so please be patient.
  • If potential threats are detected, ensure that Quarantine is selected as the Action for all the listed items, and click the Apply Actions button.
  • While still on the Scan tab, click the link for View detailed log, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
  • The log is automatically saved by MBAM and can also be viewed by clicking the History tab and then selecting Application Logs.
POST THE LOG FOR MY REVIEW.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false-positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
===

Please paste the logs in your next reply DO NOT ATTACH THEM unless specified.
To attach a file select the "More Reply Option" and follow the instructions.

How is the computer running?
Wait for further instructions.

#4 nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 January 2015 - 10:59 AM


Thank you so much for taking the time to reply. I did some stuff myself by trying different programs to help stabilize the computer, and I got help from another website for a final purge and clean-up, which I'm trying now.

Thank you for the feedback.

#5 nasdaq

  • Malware Response Team
  • 38,246 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 January 2015 - 10:59 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



